The present invention relates to an information-processing apparatus, a control method, a program and a recording medium. More particularly, the present invention relates to an information-processing apparatus suitable for execution of processing related to encryption, a control method for the information-processing apparatus, a program describing the control method and a recording medium for storing the program.
Exchanges of digital data among a variety of apparatus have been becoming popular. Digital data such as pictures and sounds does not deteriorate in quality even when it is used illegally, for example by being copied without authorization. Thus, a countermeasure for preventing digital data from being abused is absolutely required. Such a countermeasure is disclosed in documents such as Patent Document 1.
In order to avoid misuse of digital data, the digital data is encrypted. A variety of encryption methods have been proposed. Taking the CBC (Cipher Block Chaining) method as an example, encryption and decryption techniques are explained as follows.
The CBC method, which is one of the encryption techniques, is a technique for block chaining. To put it in detail, in accordance with the CBC method, the immediately preceding block of the encrypted text is combined by an exclusive-or operation with the current block of the clear text, and the result is encrypted into a block of the encrypted text. FIG. 1 is a diagram showing a typical circuit for carrying out an encryption process based on the CBC method.
Data to be encrypted is divided into blocks of a predetermined size, typically 16 bytes. The first block is supplied to an exclusive-or circuit 11-1, the second block following the first block is supplied to an exclusive-or circuit 11-2, the third block following the second block is supplied to an exclusive-or circuit 11-3 and so on. In this way, data blocks of the clear text are supplied sequentially to the exclusive-or circuits 11-1 to 11-N provided at N stages, where N is a predetermined number.
The output of the exclusive-or circuit 11-1 is supplied to an encryption unit 12-1. The encryption unit 12-1 encrypts the block supplied thereto by using a key Ek. In this way, the first block is encrypted.
The encrypted first block output by the encryption unit 12-1 is also supplied to the exclusive-or circuit 11-2, which carries out an exclusive-or process on the encrypted first block and the second clear block. The result of the exclusive-or process is supplied to the encryption unit 12-2, which encrypts the result by using the key Ek.
As described above, in an encryption process adopting the CBC method, an exclusive-or process is carried out on the encrypted immediately preceding block and the current block of the clear text following it, and the result is then subjected to an encryption process using a predetermined key. The encrypted result is in turn subjected to an exclusive-or process in conjunction with the block following the current block. In this way, each block is chained to the immediately preceding block before being chained to the immediately succeeding block.
The second and subsequent blocks are each subjected to an exclusive-or process in conjunction with the encrypted immediately preceding block. Since no block precedes the first block, however, there is no encrypted block to be combined with the first block by an exclusive-or process. For this reason, in the configuration of the circuit for carrying out the encryption process, the first block is subjected to an exclusive-or process in conjunction with an initialization vector IV.
Next, a circuit for carrying out a decryption process adopting the CBC method is explained by referring to FIG. 2.
Data encrypted as described above is divided into blocks of a predetermined size, typically 16 bytes. The first block is supplied to a decryption unit 22-1, the second block following the first block is supplied to a decryption unit 22-2, the third block following the second block is supplied to a decryption unit 22-3 and so on. In this way, data blocks of the encrypted text are supplied to the decryption units 22-1 to 22-N provided at N stages, where N is a predetermined number.
The decryption units 22-1 to 22-N each decrypt the data block supplied thereto by using a key Dk. The pieces of data output by the decryption units 22-1 to 22-N are supplied to exclusive-or circuits 21-1 to 21-N associated with the decryption units 22-1 to 22-N respectively. Each of the exclusive-or circuits 21-2 to 21-N also receives the encrypted data block that was supplied to the decryption unit at the immediately preceding stage, that is, the encrypted block supplied to the respective one of the decryption units 22-1 to 22-(N-1).
As described above, in a decryption process adopting the CBC method, the current block of the encrypted text is first decrypted, and an exclusive-or process is then carried out on the decryption output and the immediately preceding block of the encrypted text to give the final decryption result, that is, the current block of the clear text.
The outputs of the second and subsequent decryption units 22-2 to 22-N are each subjected to an exclusive-or process in conjunction with the immediately preceding block of the encrypted text. Since no encrypted block precedes the first block, however, there is no preceding encrypted block to be combined with the output of the first decryption unit 22-1. For this reason, in the configuration of the circuit for carrying out the decryption process, the output of the first decryption unit 22-1 is subjected to an exclusive-or process in conjunction with the same initialization vector IV that was used in the encryption process.
For more information on the encryption and decryption processes described above, refer to Patent Document 1, i.e., Specifications of Patent No. 3252706.
As described above, in an encryption process adopting the CBC method, an initialization vector IV is combined with the first block because no block precedes the first block. However, it is also possible to encrypt the first block without combining anything with it, that is, without the initialization vector IV, which is equivalent to always using a fixed, all-zero initialization vector. In this case, however, the following problem is raised.
Consider, for example, the case of an electronic mail. The format of an electronic mail is a pattern including a series of an addressee, a sender, a subject and a body text. When clear texts having such a pattern are encrypted without an initialization vector IV, the encrypted texts also exhibit a pattern: since each encrypted block depends only on the key and on the blocks preceding it, messages that share the same leading fields are encrypted into the same leading blocks of the encrypted text. By paying attention to such a pattern, a third party serving as an attacker is capable of inferring parts of the clear text from the encrypted text.
In order to solve the above problem, a clear text having a pattern needs to be encrypted into an encrypted text having no such pattern. To this end, an encryption process is carried out by adding an initialization vector IV that is varied from one encryption to another. An encryption process carried out on blocks of even a clear text having a pattern by introducing such an initialization vector IV results in an encrypted text without the same pattern. Thus, it is difficult to decode the encrypted text. In addition, by adding an initialization vector IV in the encryption process, the encryption process is capable of exhibiting an effect of deterring a wrongdoing, an example of which is guessing an encryption key that is used as the only key for encrypting a large amount of data.
For the reason described above, in many cases, there is provided a configuration in which an initialization vector IV is added to the first block before carrying out an encryption process on the initialization vector IV and the first block.
Incidentally, in some cases, a drive for reading out data from a predetermined recording medium and a host for receiving the data from the drive authenticate each other prior to generation of a session key to be used in encryption of the data before transmission of the data. An example of the host is a personal computer. In such a situation, the CBC method described above can be adopted. In such a case, by properly updating the initialization vector IV, it will be difficult to identify that the clear data is data having a special pattern. In addition, it will also be possible to prevent the data from being replaced or tampered with.
For example, in a case in which the drive and the host authenticate each other, data is generated in the form of an initialization vector IV followed by content data. Then, an encryption key is derived from a content key and the initialization vector IV. Finally, the encryption key is used as the key for encrypting the content data.
By adding an initialization vector IV with a typical size of 16 bytes to the content data read out from the recording medium as described above, however, a special sector size of typically 2,064 bytes must be transferred over a PC drive interface designed for 2,048-byte sectors, resulting in a format different from the standard one. In consequence, the addition of the initialization vector IV raises a problem of poor compatibility with the environment of the PC owing to, among other things, the fact that a common ATAPI device driver cannot be used. In order to solve this problem of poor compatibility with the environment of the PC, the software and hardware configurations need to be changed to special ones, which raises other problems such as an increase in cost, difficulty in maintaining compatibility and more time required for carrying out the processing.
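The drive-to-host data format described above, as an added example that is not part of the original specification: the drive packs a 2,048-byte sector as the initialization vector IV followed by the content data encrypted under a key derived from the content key and the IV, and the host reverses the process. The page does not state how the encryption key is derived, so the HMAC-SHA256 derivation below, as well as the content key, the IV and the sector contents, are assumptions made for illustration. The code is Go and uses the standard library's AES and CBC implementations.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	sectorSize = 2048 // the unit handled by a standard PC drive interface
	ivSize     = 16   // the initialization vector prepended to each sector
)

// deriveKey derives the per-sector encryption key from the content key and
// the IV. The page does not say how this is done; HMAC-SHA256 truncated to an
// AES-128 key is an assumption made for this example.
func deriveKey(contentKey, iv []byte) []byte {
	mac := hmac.New(sha256.New, contentKey)
	mac.Write(iv)
	return mac.Sum(nil)[:16]
}

// packSector is the drive side: it returns the IV followed by the sector
// encrypted in CBC mode under the derived key, i.e. 2,064 bytes for a
// 2,048-byte sector.
func packSector(contentKey, iv, sector []byte) ([]byte, error) {
	if len(iv) != ivSize || len(sector) != sectorSize {
		return nil, errors.New("need a 16-byte IV and a 2048-byte sector")
	}
	blk, err := aes.NewCipher(deriveKey(contentKey, iv))
	if err != nil {
		return nil, err
	}
	frame := make([]byte, ivSize+sectorSize)
	copy(frame, iv)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(frame[ivSize:], sector)
	return frame, nil
}

// unpackSector is the host side: it splits off the IV, derives the same key
// and decrypts the content data.
func unpackSector(contentKey, frame []byte) ([]byte, error) {
	if len(frame) != ivSize+sectorSize {
		return nil, errors.New("frame must be the IV plus one sector")
	}
	iv := frame[:ivSize]
	blk, err := aes.NewCipher(deriveKey(contentKey, iv))
	if err != nil {
		return nil, err
	}
	sector := make([]byte, sectorSize)
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(sector, frame[ivSize:])
	return sector, nil
}

// fitsStandardInterface reports whether a frame is exactly one 2,048-byte
// transfer unit, which is what a common ATAPI driver expects to move.
func fitsStandardInterface(frame []byte) bool {
	return len(frame) == sectorSize
}

func main() {
	contentKey := []byte("content-key-16-b")        // constructed content key
	iv := []byte("sector-iv-000001")                // constructed per-sector IV
	sector := bytes.Repeat([]byte("A"), sectorSize) // constructed sector contents
	frame, err := packSector(contentKey, iv, sector)
	if err != nil {
		panic(err)
	}
	fmt.Printf("frame length %d bytes, fits the %d-byte interface: %v\n",
		len(frame), sectorSize, fitsStandardInterface(frame))
	back, err := unpackSector(contentKey, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("host recovered the sector: %v\n", bytes.Equal(back, sector))
}
```

Because the IV travels in clear alongside the content data, every sector grows from 2,048 to 2,064 bytes, and the host must know the framing to strip the IV before it can derive the key; that extra 16 bytes is precisely the format mismatch with a standard 2,048-byte ATAPI transfer that the specification identifies as the compatibility problem.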